daknetworks.com


Force Email Through MobileIron On Mobile Devices

Let's say you have a budget for mobile device management (MDM) and you want more control than what is built into Exchange. There are a few options to choose from, but MobileIron is a popular path.

To get it set up, I recommend the Setup Services that MobileIron offers. Set aside the idea that you'll be able to navigate this forest correctly on your own. There's simply too much unless you have previous experience.

Once devices are enrolled into MobileIron, the goal is that the only way to get company email is through Outlook on a company-owned system or through MobileIron on a company-owned mobile device.

Mobile devices connect to Exchange through ActiveSync. With MobileIron, they connect to a Sentry server rather than directly to the Exchange server, and the Sentry server limits access to the Exchange server. So the idea here is to allow access only through the Sentry server and shut off all other access.

Here's how:

First, on the Exchange server, install the IP AND DOMAIN RESTRICTIONS feature:

  • -on the on-premises Exchange server, open the SERVER-MANAGER.
  • -click ADD ROLES AND FEATURES.
  • -click NEXT > NEXT > NEXT.
  • -expand WEB SERVER (IIS) > WEB-SERVER > SECURITY.
  • -checkmark IP AND DOMAIN RESTRICTIONS.
  • -wait for it to finish.

Great! Next, on the Exchange server, add the Sentry server to the ALLOW:

  • -open IIS.
  • -expand SITES > DEFAULT WEB SITE > MICROSOFT-SERVER-ACTIVESYNC.
  • -click ADD ALLOW ENTRY.
  • -type in the IP address of the Exchange server.

Great! Now let's block everything else:

  • -click EDIT FEATURE SETTINGS (on the right-hand side).
  • -find ACCESS FOR UNSPECIFIED CLIENTS.
  • -change to DENY.
  • -click OK.
  • -run CMD-AS-ADMIN.
  • -type: iisreset

That's it! You devilish fool, now you've done it. You've disabled webmail/OWA and you've disabled ActiveSync except through MobileIron. That puts you one step closer to following ISO 27001 and DFARS, and to better overall security.
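To confirm the restriction took effect, this added example (not from the original post) reads the `ipSecurity` section that IIS stores for the ActiveSync virtual directory and reports anything beyond the expected allow entry. It assumes the setting lives in a `<location>` element of applicationHost.config; the sample XML, the IP addresses and the function name are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed applicationHost.config fragment (documentation IPs, not a real server).
SAMPLE_CONFIG = """<configuration>
  <location path="Default Web Site/Microsoft-Server-ActiveSync">
    <system.webServer>
      <security>
        <ipSecurity allowUnlisted="false">
          <add ipAddress="192.0.2.10" allowed="true" />
          <add ipAddress="198.51.100.0" subnetMask="255.255.255.0" allowed="true" />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>
</configuration>"""
VDIR = "Default Web Site/Microsoft-Server-ActiveSync"

def audit_ip_security(config_xml, expected_allowed, vdir=VDIR):
    """Return a list of findings; an empty list means only the expected IPs get in."""
    root = ET.fromstring(config_xml)
    section = None
    for loc in root.iter("location"):
        if loc.get("path", "").lower() == vdir.lower():
            section = loc.find("system.webServer/security/ipSecurity")
    if section is None:
        return [f"no ipSecurity section for '{vdir}'"]
    findings = []
    # IIS defaults allowUnlisted to true, so a missing attribute means "allow everyone".
    if section.get("allowUnlisted", "true").lower() != "false":
        findings.append("unspecified clients are allowed (allowUnlisted is not false)")
    allowed = set()
    for entry in section.findall("add"):
        if entry.get("allowed", "false").lower() != "true" or not entry.get("ipAddress"):
            continue  # deny entries and domain-name entries are not compared here
        # An entry without subnetMask covers a single host; a mask widens it to a range.
        mask = entry.get("subnetMask", "255.255.255.255")
        allowed.add(ipaddress.ip_network(f"{entry.get('ipAddress')}/{mask}", strict=False))
    expected = {ipaddress.ip_network(ip) for ip in expected_allowed}
    for net in sorted(allowed - expected):
        findings.append(f"unexpected allow entry: {net}")
    for net in sorted(expected - allowed):
        findings.append(f"expected allow entry missing: {net}")
    return findings

if __name__ == "__main__":
    for finding in audit_ip_security(SAMPLE_CONFIG, ["192.0.2.10"]):
        print(finding)
```

On a real server, pass the contents of the server's applicationHost.config and the single address you added as the allow entry.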

NOTES:

https://bayton.org/docs/enterprise-mobility/infrastructure/restricting-access-to-exchange-activesync/
